A new hardware security architecture generates cryptographic keys on wearable devices using 2.7 microwatts of power, roughly one-ninth the 25 microwatts consumed by the alternative it was tested against, according to a preprint posted to arXiv on 17 July [S1]. For the smartwatch on your wrist or the fitness band tracking your heartbeat, that gap could be the difference between a security feature that ships and one that gets cut to save battery. The question is whether a design this lean can survive real attacks on real silicon, or whether it stays a promising simulation.
The fingerprint baked into silicon
Every wearable device leaks. The location data, heart rate readings, and other personal information they constantly store and transmit make them a privacy and security target [S1]. The standard fix, encryption, needs cryptographic keys. Storing those keys in a chip's memory creates a single point of failure: an attacker who reads the memory gets the key.
A Physical Unclonable Function, or PUF, takes a different approach. Instead of storing a key, it derives one from microscopic manufacturing variations in the silicon itself. No two chips come out of the same wafer identical. Those tiny differences in transistor geometry and wire routing are unpredictable and impossible to clone, which makes them a natural fingerprint. Send a challenge signal through the chip, and the physical delays along different paths produce a unique response that becomes the key. The key never exists as stored data, so there is nothing to read out.
The concept is nearly two decades old, tied to the rise of the Internet of Things [S1]. What has kept it out of most wearables is power. Running the circuitry to generate and verify PUF responses costs energy that a device running on a coin cell cannot easily spare.
Two architectures, one clear winner
The preprint, authored by researchers at Texas Woman's University and Dallas College [P2], tests two delay-based PUF designs for IoT integration [S1].
The first, an Arbiter PUF, sends a signal racing down two parallel paths and uses which one arrives first as the security response. It consumes 25 microwatts to generate keys for cryptographic purposes [S1].
The second, a Hybrid Oscillator Arbiter PUF (HOA PUF), combines oscillator-based and arbiter-based approaches. It consumes 2.7 microwatts for the same task [S1].
That is an 89 percent reduction. To put it in perspective: a typical smartwatch battery holds around 800 milliwatt-hours. At 2.7 microwatts, the PUF could run continuously for over 300,000 hours on a single charge, just for the key-generation step. At 25 microwatts, that drops to about 32,000 hours. Neither number will drain your watch on its own, but in a device where every other component, from the display to the radio, competes for the same microwatts, a ninefold cut in any single component matters.
Open-source implementations of Arbiter PUFs already exist on GitHub, written in Verilog for FPGA design [P3], which suggests the building blocks are accessible to hardware teams outside large semiconductor companies.
What it means
The core idea is simple: make hardware-level security cheap enough, in energy terms, that manufacturers actually use it. Today, most wearables rely on software encryption with keys stored in memory. That works until someone finds a way to extract the key. A PUF removes the stored key entirely, replacing it with a physical property the attacker would need to physically probe the chip to replicate.
The 2.7-microwatt figure matters because it pushes PUF-based security into the power budget of the smallest, cheapest wearables. A fitness band selling for $30 has no room for a dedicated security chip. But if the PUF circuitry can be fabricated into the existing microcontroller at negligible energy cost, the security comes essentially free in hardware.
This also connects to a broader shift in lightweight security. The common thread: the next wave of device security is not about adding more encryption layers, but about making the existing ones cost almost nothing to run.
What it means for business
For a two-person hardware startup building a wearable health monitor, the practical question is whether PUF circuitry can be integrated into the microcontroller they are already using, or whether it requires a custom chip. The preprint does not answer this. It analyses architectures for IoT integration but provides no evidence of fabrication, prototyping, or testing on actual wearable hardware [S1].
For a suburban IoT device manufacturer, the power savings translate directly to battery life claims on the spec sheet. If a PUF can replace stored-key encryption at 2.7 microwatts, the marketing line writes itself: hardware-level security with no measurable impact on battery life. But that claim requires the design to survive independent testing.
For a security team at a larger wearables company, the appeal is reducing the attack surface. Stored keys can be extracted through fault injection, side-channel attacks, or firmware exploits. A PUF-derived key exists only in the physical domain. The risk is that PUFs have known vulnerabilities to machine-learning-based modelling attacks, where an attacker feeds enough challenge-response pairs into a model to predict the PUF's behaviour. The preprint does not address this threat.
What we don't know yet
The findings sit in a preprint on arXiv, categorised under computer security (cs.CR) but also, oddly, quantitative finance (q-fin.GN), which may be a metadata error [S1]. The paper has not been peer-reviewed, and the power consumption figures come from the authors' own experiments or simulations [S1]. No third party has verified or replicated the 2.7-microwatt result.
There is no evidence in the paper of fabrication, prototyping, or integration with actual wearable device hardware [S1]. The architectures are analysed for IoT systems, but the gap between analysis and a chip rolling off a production line is wide. Real silicon behaves differently from simulation: temperature variation and voltage noise can shift the delay characteristics a PUF relies on, as can chip aging over time.
The paper also does not address known attacks against Arbiter PUFs, including machine-learning modelling that can predict responses from observed challenge-response pairs. Whether the HOA design resists these attacks better than the standard Arbiter PUF is an open question.
The next concrete step would be peer review and, ideally, fabrication of the HOA PUF on a test chip to measure real-world power consumption and reliability. Until that happens, 2.7 microwatts is a claimed figure, not a verified one.
If this kind of hardware-level security interests you, subscribe to keep reading our coverage of the tools and research reshaping how devices protect your data.
Sources
- [S1] Exploring Delay-based PUFs for Energy-Efficient Low-Overhead Security of Wearable Devices — arXiv preprint (cs.CR, q-fin.GN) (attributed)
- [P2] Exploring Delay-based PUFs for Energy-Efficient Low-Overhead Security of Wearable Devices — Exploring Delay-based PUFs for Energy-Efficient Low-Overhead Security of Wearable Devices (attributed)
- [P3] zona8815/Arbiter-PUF — zona8815/Arbiter-PUF (attributed)
- [P4] Non-Abelian Mixer for QAOA on Hybrid Oscillator-Qubit Quantum Processors — Non-Abelian Mixer for QAOA on Hybrid Oscillator-Qubit Quantum Processors (attributed)
- [P5] indylab/DA-Dreamer — indylab/DA-Dreamer (attributed)
More from Not A Tech Guy
- Graph tools lift small language model molecular prediction 74%
- AI uncertainty measures unified in new risk decomposition paper
- MOJO framework decodes brain signals with little labelled data
Generated from an audited evidence pack with primary-source research. Social-media items are discussion signals, not verified facts. Nothing here is financial, legal or medical advice.